Kaspersky has uncovered a new malware infection that hijacks the victims’ interaction with HTTPS and allows the hackers to install rogue digital certificates and spy on the victims’ browser activity.
Known as Reductor, the malware was first sighted in April this year, and cybersecurity experts believe that a group known as Turla are behind it. Kaspersky claims that Turla are a Russian-speaking group, and that Reductor is connected to an earlier trojan known under the name COMpFun.
What makes Reductor unique, according to Kaspersky, is that it can interfere with the exchange of information between the browser and a website. That exchange usually happens over the HTTPS protocol and should be encrypted and inaccessible to third parties.
Still, a “skilled high-profile hacking group” could do it, it says. “Reductor is a tool developed for such intrusion and was used for cyber-espionage on diplomatic entities in CIS countries, primarily by monitoring their employees' internet traffic,” the cybersecurity company adds.
“What’s more, the found modules had RAT (Remote Administration Tool) functions and the capabilities of this malware were almost unlimited.”
Reductor was being spread either through COMpFun, or by injecting the malicious program into a legitimate software installer, found on a warez (underground software) website.
“While the original installers available on those websites were not infected, they would end up on the victims’ PCs carrying malware,” Kaspersky explains.
Once Reductor is installed, it can manipulate the installed digital certificates and patch the browser’s pseudo-random number generator that is used to encrypt the traffic. The hackers would also install both a hardware-based and a software-based identifier so that they could identify their victims more reliably.
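Because the technique described above relies on rogue certificates being added to the machine's trust store, one defensive check a practitioner can run is a baseline comparison of root-certificate fingerprints. The script below is an added example written for this page, not code from Kaspersky or from any Reductor analysis: it parses a PEM bundle (or, on Windows, reads the system ROOT store via the standard-library `ssl.enum_certificates`), hashes each DER-encoded certificate with SHA-256, and reports any fingerprint that is not in a known-good baseline. The certificate bytes and the baseline used in the demo are constructed placeholders, not real certificates; in practice the baseline would be the fingerprints recorded from a clean image.

```python
import base64
import hashlib
import re
import ssl
import sys

# Matches each certificate block in a PEM bundle (re.S lets "." span lines).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def ders_from_pem(text: str) -> list[bytes]:
    """Extract the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def windows_root_store() -> list[bytes]:
    """DER bytes of every certificate in the Windows ROOT store (empty elsewhere)."""
    if not sys.platform.startswith("win"):
        return []
    # ssl.enum_certificates is only available on Windows; it yields
    # (cert_bytes, encoding_type, trust) tuples.
    return [
        cert for cert, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"
    ]


def unexpected_roots(ders: list[bytes], baseline: set[str]) -> list[str]:
    """Fingerprints present in the store but absent from the baseline, sorted."""
    return sorted({fingerprint(d) for d in ders} - baseline)


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in a PEM certificate envelope (used to build sample input)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: these are NOT real certificates, just placeholder
# byte strings standing in for a known root and for a rogue root.
SAMPLE_KNOWN_DER = b"constructed-known-root-certificate"
SAMPLE_ROGUE_DER = b"constructed-rogue-root-certificate"
SAMPLE_BUNDLE = make_pem(SAMPLE_KNOWN_DER) + make_pem(SAMPLE_ROGUE_DER)
# A baseline recorded from a clean system would contain only the known root.
SAMPLE_BASELINE = {fingerprint(SAMPLE_KNOWN_DER)}


def demo() -> list[str]:
    """Run the check over the constructed bundle; returns the rogue fingerprint."""
    return unexpected_roots(ders_from_pem(SAMPLE_BUNDLE), SAMPLE_BASELINE)


if __name__ == "__main__":
    # On a real Windows host you would pass windows_root_store() and the
    # recorded baseline instead of the constructed sample.
    store = windows_root_store() or ders_from_pem(SAMPLE_BUNDLE)
    for fp in unexpected_roots(store, SAMPLE_BASELINE):
        print("unexpected root certificate:", fp)
```

The same baseline-and-hash pattern applies to the other modification the article mentions: recording hashes of the browser's executable files from a clean install and re-checking them lets a defender notice a patched binary, since an in-memory or on-disk patch to the random number generator changes the file's digest.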